
OIDC Refresh doesn't work due to bad expiration date #3210

@monnierj


Describe the bug
After configuring the OIDC authentication on the UI Server, the initial authentication works, but the token refreshing fails with a 401 error. Our identity provider is Keycloak.

To Reproduce
Steps to reproduce the behavior:

  1. Log onto the Temporal UI
  2. See that the refresh cookie has an expiry set to the access token lifetime
  3. Wait for the access token to expire
  4. See token refreshing fail in the console, and subsequent requests trigger 401 errors

Reproduced consistently on UI Server v2.47.0

Expected behavior
The token refreshing should work.

Screenshots
None very useful to be provided.

Desktop:
Consistently reproduced across systems (Windows 11, macOS Sequoia) and browsers (Firefox, Chrome).

Additional context
Using my browser's developer tools, I saw that the refresh cookie life expectancy is set to match the access token's one.

On server/server/auth/auth.go#L115, I see that if the refresh token is present AND the Expiry computed field is set, we're using that value to compute the cookie maximal age... except that Expiry, computed from the IdP response's expires_in field, always represents the access token life expectancy, as explained in RFC 6479, section 5.1 and section 3.2.2.5 of the OpenID Connect Core 1.0 specification.

Decoding the refresh token, and using its exp value seems to be better suited to me.
Using the offline_access scope doesn't change the behaviour.
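The cookie-lifetime logic the report describes, as an added Go example that is not the UI Server's own code: it assumes the refresh token is a JWT carrying an exp claim (as Keycloak issues) and shows the reported computation next to one that reads the refresh token's exp, falling back to the access-token expiry when the refresh token is opaque.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// refreshTokenExpiry reads the exp claim of a JWT-formatted refresh token (assumed for
// Keycloak; opaque tokens return an error). No signature check: the value only sizes the
// cookie, and the IdP still validates the token when it is presented on the refresh call.
func refreshTokenExpiry(refreshToken string) (time.Time, error) {
	parts := strings.Split(refreshToken, ".")
	if len(parts) != 3 {
		return time.Time{}, errors.New("refresh token is not a JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return time.Time{}, err
	}
	var claims struct{ Exp int64 `json:"exp"` }
	if err := json.Unmarshal(payload, &claims); err != nil || claims.Exp == 0 {
		return time.Time{}, errors.New("no usable exp claim")
	}
	return time.Unix(claims.Exp, 0), nil
}

// buggyMaxAge mirrors the reported logic: with a refresh token present, Max-Age is
// taken from Expiry, which expires_in ties to the ACCESS token lifetime.
func buggyMaxAge(accessExpiry time.Time, refreshToken string, now time.Time) int {
	if refreshToken != "" && !accessExpiry.IsZero() {
		return int(accessExpiry.Sub(now).Seconds())
	}
	return 0
}

// proposedMaxAge prefers the refresh token's own exp and falls back to the
// access-token expiry only when the refresh token is opaque or lacks exp.
func proposedMaxAge(accessExpiry time.Time, refreshToken string, now time.Time) int {
	exp := accessExpiry
	if rexp, err := refreshTokenExpiry(refreshToken); err == nil {
		exp = rexp
	}
	if secs := int(exp.Sub(now).Seconds()); secs > 0 {
		return secs
	}
	return 0
}
```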
